[SERVER-13513] Unauthorized user able to run show dbs Created: 08/Apr/14 Updated: 10/Dec/14 Resolved: 08/Apr/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Pratik Gadiya | Assignee: | J Rassi |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Steps To Reproduce: | Pre-requisite : a. User in admin database Steps: |
| Participants: |
| Description |
|
While switching between the users, the cache does not get refreshed automatically. It stores the first authenticated user's privilege data. |
| Comments |
| Comment by Pratik Gadiya [ 08/Apr/14 ] |
|
Hi Rassi, I used the db.logout() command and now it is working fine. Thanks |
| Comment by J Rassi [ 08/Apr/14 ] |
|
Hi Pratik, Are you running db.logout() on the admin database before step 4 in your repro? Note that MongoDB connections support authentication to multiple databases at the same time; an explicit logout is required in order to relinquish the privileges of the user logged into the first database. ~ Jason Rassi |
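
One way to check, from the connection itself, which users are still authenticated after switching users as described in the comment above. This is an added example, not code from the ticket or from MongoDB: it reads `authInfo` from the `connectionStatus` command, and the stub connection, user names and roles are constructed so that it runs offline.

```javascript
// Added example. `conn` is anything with runCommand(); in the mongo shell
// that is a database handle.
function authenticatedPrincipals(conn) {
  var res = conn.runCommand({ connectionStatus: 1 });
  if (!res || res.ok !== 1) { throw new Error("connectionStatus failed"); }
  var info = res.authInfo || {};
  return {
    users: (info.authenticatedUsers || []).map(function (u) { return u.user + "@" + u.db; }),
    roles: (info.authenticatedUserRoles || []).map(function (r) { return r.role + "@" + r.db; })
  };
}

// Principals still active on the connection besides the one we mean to act as.
function lingeringPrincipals(conn, expectedUser, expectedDb) {
  var expected = expectedUser + "@" + expectedDb;
  return authenticatedPrincipals(conn).users.filter(function (u) { return u !== expected; });
}

// Constructed stand-in for a connection (hypothetical; for offline runs only).
// Models the behaviour in the comment above: auth() adds one principal per
// database and only logout() on that database removes it.
function makeStubConnection(roleTable) {
  var sessions = {}; // db name -> user name
  return {
    auth: function (dbName, user) { sessions[dbName] = user; },
    logout: function (dbName) { delete sessions[dbName]; },
    runCommand: function (cmd) {
      if (!cmd.connectionStatus) { return { ok: 0 }; }
      var users = [], roles = [];
      Object.keys(sessions).forEach(function (dbName) {
        var user = sessions[dbName];
        users.push({ user: user, db: dbName });
        roles = roles.concat(roleTable[user + "@" + dbName] || []);
      });
      return { authInfo: { authenticatedUsers: users, authenticatedUserRoles: roles }, ok: 1 };
    }
  };
}

// Constructed users and roles: an admin-database user, then a second user.
var stub = makeStubConnection({
  "siteAdmin@admin": [{ role: "root", db: "admin" }],
  "appUser@test": [{ role: "read", db: "test" }]
});
stub.auth("admin", "siteAdmin");
stub.auth("test", "appUser");
var beforeLogout = lingeringPrincipals(stub, "appUser", "test");
stub.logout("admin");
var afterLogout = lingeringPrincipals(stub, "appUser", "test");
```

In the shell, pass a real database handle as `conn` in place of the stub; a non-empty result from `lingeringPrincipals` means an earlier login has not been logged out.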